First off, let me say that this message is *not* a rant: I simply hope to outline my experiences with the new NPF packet filter, and some of its shortcomings I have observed. This message is intended to spark some discussion on NPF's featureset and will hopefully draw some more attention to a great packet filter so it can get a little more development lovin'.
At this point, I have been running npf as my home's gateway firewall for about 8 months. I am quite happy with it, since it has greatly improved the stability of my network over my previous (expensive, I might add) dd-wrt based router. My VOIP phone has much better sound than before, with little/no garbling even without QoS. Since initial setup, configuration changes have been a breeze. These virtues aside, a number of limitations have become obvious. It's entirely possible I am doing something wrong or am uneducated on some points, but here are the issues I've noted:
- No UPnP support as far as I am aware
- No QoS support (ALTQ only works with PF, as far as I am aware)
- NAT Hairpinning is troublesome. For the life of me, I cannot get it to work as intended. To get my internal PCs to resolve my locally-hosted website, I am running inetd with a netcat proxy; npf is redirecting requests to my public IP coming from my internal network to this proxy. Attempting to use npf directly for NAT hairpinning results in simple packet redirection - the source IP isn't rewritten and my webserver tries to directly respond to any client sitting on my home network. A three-legged network setup (external, dmz, internal) DOES fix this, but that isn't what I am interested in!
- 'tree' type blocklists rely on NetBSD's ptree implementation, which is buggy, so it causes crashes after a few dozen entries. Npf is effectively limited to using hashtree blocklists (discrete IPs only, no subnet support) due to this, at least in my experience.
- NPF won't automatically reload the IPs on the interfaces if they change. I have a cronjob doing `npfctl reload` every 5 minutes in case my dynamically-assigned router IP changes. In the past, my IP changed and I was left scratching my head as to why my internet no longer worked...
- No way to group port forwards. For instance, mapping inbound traffic without specifying ports should (in my mind, at least) default to mapping the inbound port to the same port at the destination IP. In practice however, npf randomly chooses a destination port, which I cannot see a use for. I am stuck explicitly setting port forwards, which is really frustrating when I want to expose a large number of ports. It also clutters up an otherwise clean config file with excess lines. Binat works for this, but if you only have one external IP (like me!) then you sadly will lose your internet connection for your other home PCs.
- NPF documentation is also a bit of a sore point. The examples provided in /usr/share do not cover all the common situations that might arise. I found myself doing a lot of 'reverse engineering' to figure out how to best configure my firewall rules. Any plans in the works for a complete NPF wiki page or how-to? I am sure there are a number of more advanced configurations I have no idea about.
As far as I can tell, NPF is intended to be *the* de facto firewall for new NetBSD installations, but it seems like it is lacking just a little too much polish and documentation for new users to reliably navigate a fresh install. A lot of NPF related "How do I..." style questions seem to have surfaced on netbsd-users as of late, which supports this theory.
--------------------------------
THE TL;DR - I am curious about the 'State of NPF' as it is now. I have not seen a lot of development on the NPF front, and it would be a real shame to let such a great firewall die off. So far, no other netfilter I have worked with has such a clear and compact syntax as NPF does. Does anyone know the current state of development, and what NetBSD users can expect in the near future from npf?
Cheers & TIA,
brkt
(Ryan Brackenbury)
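The port-forward complaint above (one explicit `map` line per port, cluttering the config) can be worked around by generating those lines from a compact spec instead of hand-writing them. The following is an added example, not code from the original post or from the NPF project: it expands a list of ports and port ranges into explicit NPF `map` rules that forward each inbound port to the same port on an internal host, validating the spec first so a typo cannot quietly expose an unintended port. The rule syntax is assumed from the `map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022` form shown in npf.conf(5); the interface variable name, internal host address and port list are constructed sample values.

```python
"""Expand a compact port-forward spec into explicit NPF `map` rules.

Added example; the `map` syntax is assumed from the npf.conf(5) examples
(e.g. `map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022`).
Interface name, host and ports used below are constructed sample values.
"""
import ipaddress
import re

# A single port ("80") or an inclusive range ("6000-6002").
_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_ports(spec):
    """Turn ["80", "443", "6000-6002"] into a sorted, de-duplicated list.

    Rejects anything outside 1-65535 and reversed ranges ("6002-6000"),
    so a mistyped spec fails loudly instead of opening extra ports.
    """
    ports = set()
    for item in spec:
        m = _RANGE_RE.match(item.strip())
        if not m:
            raise ValueError(f"bad port spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range reversed or out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def render_forwards(ext_if, int_host, spec):
    """Return one `map` line per port, inbound port == destination port.

    `ext_if` is the NPF variable name of the external interface (without
    the leading '$'); `int_host` must be a valid IPv4 address.
    """
    ipaddress.IPv4Address(int_host)  # raises ValueError on a bad address
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", ext_if):
        raise ValueError(f"bad variable name: {ext_if!r}")
    return [
        f"map ${ext_if} dynamic {int_host} port {p} <- ${ext_if} port {p}"
        for p in parse_ports(spec)
    ]


if __name__ == "__main__":
    # Constructed sample values, not taken from the original post.
    for line in render_forwards("ext_if", "192.168.1.10", ["80", "443", "6000-6002"]):
        print(line)
```

Run it and paste the printed lines into npf.conf (below the `$ext_if` definition), then `npfctl reload`; keeping the compact spec in a comment next to the generated block makes later audits of what is exposed much easier than reading dozens of hand-written `map` lines.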